Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

join command examples

The following are examples for using the SPL2 join command.

1. Join datasets on fields that have the same name

Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.

... | join left=L right=R where L.product_id=R.product_id vendors

2. Join datasets on fields that have different names

Combine the results from a search with the vendors dataset. The data is joined on a product ID field, which have different names. The field in the left-side dataset is product_id. The field in the right-side dataset is pid.

... | join left=L right=R where L.product_id=R.pid vendors

3. Use words instead of letters as aliases

You can use words for the aliases to help identify the datasets involved in the join. This example uses products and vendors for the aliases.

... | join left=products right=vendors where products.product_id=vendors.pid vendors

4. Return all matching rows in the right-side dataset

By default, only the first row of the right-side dataset that matches a row of the source data is returned. To return all of the matching right-side dataset rows, include the max=<int> argument and set the value to 0. This example joins each matching right-side dataset row with the corresponding source data row. This example uses products, which is a saved dataset, for the right-side dataset. In this example the field names in the left-side dataset and the right-side dataset are different.

... | join max=0 left=L right=R where L.vendor_id=R.vid products

5. Return all matching rows in a subsearch

This example uses a subsearch for the right-side dataset.

... | join left=vendor right=products where vendor.vendor_id=products.vid [ <subsearch> ]

See also

join command
join command overview
join command syntax details
join command usage
Last modified on 31 January, 2024
PREVIOUS
join command usage
  NEXT
lookup command overview

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters